Bug 168420 - mod_ssl - CAN-2005-2700 "SSLVerifyClient require" possibly not enforced
Status: CLOSED DUPLICATE of bug 166941
Product: Fedora Legacy
Classification: Retired
Component: mod_ssl
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Fedora Legacy Bugs
Keywords: Security
Reported: 2005-09-15 16:55 EDT by Michal Jaegermann
Modified: 2007-04-18 13:31 EDT
Last Closed: 2005-10-24 02:01:12 EDT
Description Michal Jaegermann 2005-09-15 16:55:00 EDT
Description of problem:

This is a quote from
which is an announcement dated 2005-09-02:

'A subtle security bug (CAN-2005-2700) was discovered in mod_ssl
where "SSLVerifyClient require" was not enforced in per-location context
if "SSLVerifyClient optional" was configured in the global virtual
host configuration.'

A version 2.8.12-8 showed up in RHEL updates with a fix for this bug.
At ftp://ftp.harddata.com/pub/Legacy_srpms/mod_ssl-2.8.12-8.legacy.src.rpm
there are corresponding sources which were used to rebuild fixed mod_ssl
on RH7.3 system.

This also includes fixes for some other possible problems still present
in 2.8.12-7.legacy (see %changelog spec section for details).

Version-Release number of selected component (if applicable):
Comment 1 Pekka Savola 2005-10-24 02:01:12 EDT
This CAN is fixed in #166941 which is in updates-testing (which is tracked under
'httpd' -- this may be confusing, but mod_ssl ceased being a separate package
around RHL8..).

*** This bug has been marked as a duplicate of 166941 ***
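
An added example, not part of the bug report or of mod_ssl: a small Python check that scans Apache configuration text for the pattern the quoted announcement describes, a per-location "SSLVerifyClient require" under a scope that sets "SSLVerifyClient optional", so that servers relying on it can be prioritized for the fixed package. The function name, the sample configuration and the simplified parsing (no Include handling, no inheritance from the main server into virtual hosts) are assumptions of this example.

```python
import re

# Constructed sample configuration for illustration (not from the bug report).
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLVerifyClient optional
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLVerifyClient none
    <Directory /var/www/secure>
        SSLVerifyClient require
    </Directory>
</VirtualHost>
"""

TAG = re.compile(r"<(/?)(\w+)\s*([^>]*)>")
PER_DIR = {"location", "locationmatch", "directory", "directorymatch", "files", "filesmatch"}

def find_affected_sections(conf_text):
    """Return (scope, section, line_no) for each per-location 'require' under a scope-level 'optional'."""
    scopes = {}                        # scope -> {"mode": ..., "requires": [...]}
    scope, stack = "main server", []   # stack holds the open per-directory sections
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG.match(line)
        if m:
            closing, tag, arg = m.group(1), m.group(2).lower(), m.group(3).strip()
            if tag == "virtualhost":
                scope = "main server" if closing else "VirtualHost " + arg
            elif tag in PER_DIR and closing:
                stack = stack[:-1]
            elif tag in PER_DIR:
                stack.append(f"{m.group(2)} {arg}")
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "sslverifyclient":
            continue
        entry = scopes.setdefault(scope, {"mode": None, "requires": []})
        if not stack:
            entry["mode"] = parts[1].lower()       # setting at virtual host / server level
        elif parts[1].lower() == "require":
            entry["requires"].append((stack[-1], line_no))
    return [(s, sec, n) for s, e in scopes.items()
            if e["mode"] == "optional" for sec, n in e["requires"]]
```

On the sample, only the first virtual host is reported; the second sets "none" at virtual host level and so does not match the pattern in the announcement.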
